/etc/grr/api_acls.yaml is in grr-server 3.1.0.2+dfsg-4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | # GRR API authorization rules
#
# Note that the order of routers here is important. Rules will be applied
# in order from top to bottom until the first one matches. If there are
# no matches, API.DefaultRouter will be used (points by default to the
# ApiDisabledCallRouter).
#
# Therefore the routers should generally be sorted in the descending order
# from the most privileged to the least privileged. This way, if the user
# matches more than one rule, the more privileged rule will always match first.
#
# The only exception to this principle is when there are rules that work as
# exceptions, i.e. "user X has to have limited access, no matter what". Rules
# of this kind should be in the head of the rules list.
#
# Example:
# router: "ApiCallRobotRouter"
# users:
# - "user1"
# - "user2"
# router: "ApiCallRouterWithApprovalChecksWithoutRobotAccess"
# users:
# - "userFoo"
# - "userBar"
|